
I have a requirement to SFTP ".csv" files from a corporate on-premise Linux box to an S3 bucket.

The current setup is as follows:

  1. The on-premise Linux box is NOT connected to the internet.
  2. The corporate network is connected to AWS with Direct Connect.
  3. There are several VPCs for different purposes. Only one VPC has an IGW and a public subnet (to accept requests coming from the public internet); all other VPCs have no IGW and no public subnets.
  4. The corporate network and the several AWS VPCs (those having no IGW) are connected to each other through Transit Gateway.

Can someone please advise whether I should use AWS Transfer or S3 VPC Interface Endpoints to transfer files to the S3 bucket from on-premise (corporate network), and why?

I appreciate your valuable advice in advance.

Arunava

1 Answer

You should Create a server endpoint that can be accessed only within your VPC - AWS Transfer Family.

Note that this is a special endpoint for AWS Transfer. It is not an endpoint for Amazon S3.

Alternatively, you could run an SFTP server on an Amazon EC2 instance, as long as the instance also has access to Amazon S3 to upload the files received.

Of course, I'd also recommend avoiding SFTP altogether and uploading directly to Amazon S3 if it is at all possible. Using SFTP adds complexity and expense that is best avoided.

John Rotenstein
  • Thank you John. In which scenario should I use AWS Transfer Family, and in which scenario should I use VPC Interface Endpoints for S3? As you have suggested, how can I avoid SFTP in this scenario? – Arunava Feb 07 '23 at 21:30
  • To avoid SFTP, simply don't use SFTP. If your goal is to transfer files to Amazon S3, then write a program that copies the files or use the [AWS Command-Line Interface (CLI)](http://aws.amazon.com/cli/) to copy the files. No need for using SFTP. This comes down to what your "requirement" is -- is it to get the files to S3, or is it to use SFTP to get the files to S3? Sending the files directly is simpler and has no cost, while using SFTP is more complex and has a cost for running AWS Transfer. – John Rotenstein Feb 07 '23 at 22:02
  • A VPC Endpoint for S3 simply provides a 'shortcut' to go from a VPC to Amazon S3 without going via the Internet. It is required if your VPC does not have an Internet Gateway. You mention that you have Transit Gateway, which _might_ provide a route to the Internet. If not, use a VPC Endpoint for S3 to allow the Linux box to talk with S3 without going via the Internet. Then, you can use the AWS CLI to copy the files. – John Rotenstein Feb 07 '23 at 22:04
  • Thanks a lot John. Your explanations are awesome. I have two scenarios to fulfil: 1) send files to S3 from on-premise (connected to AWS with Direct Connect) and 2) send files created by ROSA (VPC has no IGW, connected to Transit GW) to S3. – Arunava Feb 09 '23 at 01:16
  • Great! None of them require SFTP (but I don't know what ROSA is -- I'm just hopeful!). – John Rotenstein Feb 09 '23 at 01:58
  • Thanks John. ROSA -> Red Hat OpenShift on AWS – Arunava Feb 10 '23 at 02:04
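The approach the answer and its comments settle on is "copy with the AWS CLI over an S3 VPC endpoint, no SFTP". The script below is an added example written for this page; it is not code from the question, the answer, or AWS. It shows the two pieces a defender would want for that path: a bucket policy that only accepts `PutObject` arriving through the named interface endpoint (and refuses non-TLS requests), and an `aws s3 cp` invocation that sends only `.csv` files through that endpoint from a host with no internet route. The bucket name, region, endpoint ID and the `bucket.<vpce-id>.s3.<region>.vpce.amazonaws.com` hostname are placeholders and assumptions, not values from the page; take the real endpoint DNS name from the VPC console, or drop `--endpoint-url` entirely if private DNS is enabled on the endpoint. `aws:SourceVpce` and `aws:SecureTransport` are standard IAM condition keys.

```shell
#!/bin/sh
# Added example, not from the question or answer: push on-premise CSV files to
# S3 over the private path (Direct Connect -> Transit Gateway -> S3 interface
# endpoint) with the AWS CLI, and restrict the bucket to that endpoint.
# All values below are placeholders; override them via the environment.
BUCKET="${BUCKET:-example-csv-landing-bucket}"           # placeholder bucket
REGION="${REGION:-us-east-1}"                             # placeholder region
VPCE_ID="${VPCE_ID:-vpce-0123456789abcdef0}"               # placeholder endpoint ID
# Assumed per-endpoint hostname shape; copy the real one from the VPC console.
ENDPOINT_URL="${ENDPOINT_URL:-https://bucket.${VPCE_ID}.s3.${REGION}.vpce.amazonaws.com}"

# Print a bucket policy that denies PutObject unless the request arrived via
# the given VPC endpoint, and denies any non-TLS access to the bucket.
# Usage: bucket_policy <bucket> <vpce-id>
bucket_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutOnlyViaVpce",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$1/*",
      "Condition": { "StringNotEquals": { "aws:SourceVpce": "$2" } }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [ "arn:aws:s3:::$1", "arn:aws:s3:::$1/*" ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
EOF
}

# Build the AWS CLI command that copies only *.csv from a directory into a
# prefix, via the interface endpoint, with server-side encryption requested.
# Usage: upload_cmd <source-dir> <key-prefix>
upload_cmd() {
    printf 'aws s3 cp %s s3://%s/%s/ --recursive --exclude "*" --include "*.csv" --endpoint-url %s --region %s --sse AES256' \
        "$1" "$BUCKET" "$2" "$ENDPOINT_URL" "$REGION"
}

# Return 0 only if the directory exists and holds at least one .csv file, so
# an empty export directory never starts a recursive copy.
has_csv() {
    [ -d "$1" ] || return 1
    set -- "$1"/*.csv
    [ -e "$1" ]
}

main() {
    src="${1:-/data/exports}"              # placeholder export directory
    prefix="$(date +%Y/%m/%d)"
    has_csv "$src" || { echo "no .csv files in $src" >&2; exit 1; }
    # Apply the policy (needs s3:PutBucketPolicy), then run the copy.
    bucket_policy "$BUCKET" "$VPCE_ID" > /tmp/bucket-policy.json
    aws s3api put-bucket-policy --bucket "$BUCKET" --policy file:///tmp/bucket-policy.json
    eval "$(upload_cmd "$src" "$prefix")"
}

# Run the upload only when explicitly asked, so the functions can be sourced
# and inspected without touching AWS:  RUN_UPLOAD=1 ./upload_csv.sh /data/exports
if [ "${RUN_UPLOAD:-0}" = "1" ]; then
    main "$@"
fi
```

The `Deny` on `aws:SourceVpce` applies to every principal, including console and any other VPC, so apply it only after the endpoint is confirmed reachable from the Linux box; the ROSA scenario from the comments would need its own endpoint ID added to the condition (as a list) or a second statement.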